Stuxnet spyware targets industrial facilities, via USB memory stick

Beware the USB memory stick. Infected sticks are the means by which a mystery spyware, dubbed Stuxnet, is penetrating control systems of industrial facilities and utilities around the globe, say cybersecurity experts.

Cyberspies have launched the first publicly known global attack aimed at infiltrating hard-to-penetrate computer control systems used to manage factory robots, refineries, and the electric power grid.

The ultrasophisticated attack was discovered last week, but information about it – including the full range of capabilities of the espionage software – continues to emerge. The spyware had spread for at least a month undetected and has already penetrated thousands of industrial computer systems in Iran, Indonesia, India, Ecuador, the United States, Pakistan, and Taiwan, according to a Microsoft analysis.

The attack is part of a sophisticated new wave of industrial cyberespionage that can infiltrate corporate systems undetected and capture the "crown jewels" of corporations – proprietary manufacturing techniques that are worth billions, experts say. It's significant, too, because of its potential to infiltrate and commandeer important infrastructure, such as the power grid.

No one knows who's behind it. Cybersecurity analysts aren't even sure yet what the spyware's creators intend it to do to those industrial systems. The intent could be to sell corporate proprietary secrets – or to seek an advantage over the US in some future assymetric conflict, such as a cyberwar.

"We have not seen anything like this before aimed directly at the industrial control system environment," says Walt Boyes, a control systems security expert and editor in chief of Control magazine. "It's a clear-cut case of industrial espionage. We don't know its ultimate aim yet." But, he says, the attack is aimed specifically at the company that sells the lion’s share of industrial automation software to the electric power sector in North America and Western Europe. "That's really scary," Mr. Boyes adds.

USB memory stick the tool of choice

The spyware, dubbed the Stuxnet worm by Microsoft, uses the lowly, ubiquitous USB memory stick as its delivery vehicle. But others say it also has the attributes both of a “trojan” program that gains command of a system and of a virus that replicates. When an infected stick is plugged into a computer, the spyware instantly and almost invisibly loads itself onto that computer's system. In a never-before-seen twist, it does this without the user taking any action or clicking on any button. The spyware then creates a secret "back door" for the attacker to access and control the computer remotely, say computer security experts.

But what makes security experts' hair stand on end is what the cyber-spy program does next. It searches the victim computer for the database of a supervisory control and data acquisition (SCADA) software program created by Siemens, the electronic control systems giant. That specialized software is used to run chemical plants and factories – as well as electric power plants and transmission systems worldwide.

The only thing known for sure about the attackers' goals is that the software attempts to harvest data from a history database within the Siemens software – and send it to servers on the Internet. How successful it has been in doing this isn’t known. In a statement on its website, Siemens said Friday that "we know of two cases worldwide where a WinCC computer has been infected. A production plant has so far not been affected." The company is trying to determine if the spyware, besides attempting to send process and production data, "is able to send or delete system data, or change system files."

Attackers' intentions unclear

But the breadth of the threat could be far larger. The spyware has at least 5,000 functions, and only that one basic function – the database download – is well-understood so far, Frank Boldewin, an independent computer security researcher analyzing Stuxnet, writes in an e-mail interview.

"It's still unclear what exactly are the intentions of the attackers," he writes. "Someone might slightly change a process course, shut down the SCADA control servers, deleting the data base and so forth with a sabotage factor in mind, but I haven't found any code-snippets yet which instruct a hacked SCADA system to do so."

Electric utilities, like many companies, are known to be under attack around the clock by attackers probing their Internet firewalls. News reports last year suggested that some power-grid defenses may already have been penetrated by elite nation-state cyberattackers who may have planted "malware" bombs to deactivate or destroy a power system, or may have installed trap-door access for a future covert attack.

"When power plants got hit before, it was always collateral damage from other Internet-based attacks," says Eric Byres, a controls systems expert with Byres Security in Vancouver. "Now it's clear that software-running generators and transmission systems and chemical plants are no longer just collateral damage – they are in the bull's-eye."

Symantec, the big antivirus company, was recently reporting 9,000 attempted infiltrations per day, worldwide, using the Stuxnet zero-day flaw in Microsoft operating systems. Microsoft reports about 1,000 new computers infiltrated per day. Any new USB drive or any device with a computer memory chip –including cameras and music players – that are plugged into an infected system become a transmitter of the worm.

Home computers vulnerable, too

Any computer hit by the spyware – even home computers that don't have Siemens software – will have a "back door" installed on it that could potentially be exploited later, Mr. Byres says. Antivirus companies are working on a short-term fix. Microsoft, too, is working on a patch for its operating system – and has recommended some interim steps to help safeguard computers. But virtually every computer with a Microsoft operating system today remains vulnerable to attack, say Byres and other experts.

While a wide array of attack software is widely available on the Internet, the unusually sophisticated techniques used in the Stuxnet attack indicate that a large, well-funded, very sophisticated organization is most likely behind the attack, several experts say.

"The significance of this attack is that this is a really serious piece of malware that upped the ante for all of us about what the bad guys are doing," says Ed Skoudis, cofounder of InGuardians, a software security firm. "The techniques being used here go way beyond what we've seen even from sophisticated organized crime groups."

Three things the spyware does

First, the spyware uses a "zero-day" attack – a vulnerability that neither Microsoft nor antivirus companies knew existed. As a result, antivirus and other defenses were unprepared for it.

Second, the spyware managed to fool personal computer security systems by using a real, not a forged, digital certificate (or complex encrypted code) from a computer company named RealTek. That circumvented another Microsoft barrier, giving the spyware automatic permission to install. It's possible that the keys used to create the digital certificates were stolen – a serious problem, but not as serious as if the certificates could be created. A variant of Stuxnet (one that uses another company's apparently stolen digital certificate) has already been found.

Third, the spyware payload – or its core program – was tailored to hunt for Siemens’ SIMATIC WinCC and PCS 7 programs and to download the history of the systems' operations. That history could include pressures, temperatures, voltages, and all manner of SCADA settings for factories or power plant operators, Byres says. Such a history could, for instance, allow the attacker to replicate the proprietary settings for production of a costly chemical. For a utility, it’s less obvious what use that would be, although it may provide a larger understanding of the settings of a power plant’s turbines, for instance.

The spyware was detected by VirusBlokAda, an antivirus company based in Belarus, in mid-June. But its SCADA-specific payload was not recognized until last week. The spyware may even have been active many months earlier, judging from a January 2010 digital "time stamp" on it, says Chester Wisniewski, senior security analyst in the Vancouver office of Sophos, a global computer security firm.

An 'advanced persistent threat'?

The attack suggests that someone with deep pockets is behind it, to be sure. But it also is an example of what some cybersecurity experts call "advanced persistent threat," that is, attackers whose goals are not a big financial payoff but rather an ability to lurk for long periods on corporate or government systems in order to steal secrets – or lay the groundwork for cyberwar.

Security experts in the utility industry say only a nation state or very deep-pocketed organization staffed by professional hackers could have pulled off this triple-play malware.

"One of the best ways to attack the power grid is through a USB stick, to give it to a human being to just walk it past all the cyberdefenses and firewalls that have been set up – and then just put it straight into a vulnerable computer. It's really perfect," says one utility-industry cybersecurity expert who asked not to be named because of his sensitive position.

Microsoft was working on a software patch to address the attack at time of publication. Siemens on Thursday began offering a software tool to deal with the threat. Yet the problem of patching SCADA systems will be slow, difficult, and costly, experts say. In the past, utilities and others have resisted efforts to bolster cyberdefenses largely because of the costs involved in upgrades.

Siemens, GE, and ABB, as well as other control system vendors and users from several countries, will meet in London in October to discuss strategies for blocking the advanced threat now targeting their systems globally, the Sans Institute, a computer security group, reported.

Yet the fundamental threat remains, experts say.

"The good news as far as the power grid goes is that there's awareness, because the threat has been discovered and advisories have gone out," says the utility cyberexpert who asked for anonymity. "The bad news is that not everyone is as mature in dealing with these problems as they need to be. Right now there's a big window of exposure."